Blind SSRF in Nextcloud News RSS/Atom Feed Reader
CVE-2026-44515

2.3 LOW

Key Information:

Vendor

Nextcloud

Status
Vendor
CVE Published:
14 May 2026

What is CVE-2026-44515?

Versions of the Nextcloud News RSS/Atom feed reader prior to 28.3.0-beta.1 contain a blind server-side request forgery (SSRF) vulnerability. Authenticated users can submit URLs that point to internal or private IP ranges, including localhost. The Nextcloud server then makes HTTP requests to these internal locations without relaying the response, which lets an attacker probe or scan network services reachable from the Nextcloud instance. Internal resources that should not be visible from outside can become discoverable this way. The issue has been addressed in version 28.3.0-beta.1.

Affected Version(s)

news < 28.3.0-beta.1

References

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
